Security Vulnerabilities in Baseboard Management Controllers Rampant, Research Finds

Joint research by Rapid7 and an independent security researcher has spotlighted vulnerabilities in embedded technology used to remotely manage servers known as baseboard management controllers [BMCs].

The Intelligent Platform Management Interface [IPMI] is a server management protocol that runs on the BMC. According to research by Rapid7’s HD Moore and security researcher Dan Farmer, both BMC and IPMI security is being challenged in ways many organizations may not have thought of.

“BMCs are often underappreciated and overlooked during security audits,” blogged Moore, chief security officer at Rapid7. “Like many embedded devices, they tend to respond slowly to tests and have a few non-standard network services in addition to web-based management.”

“The difference between a BMC and say, a printer, is what you get access to once it has been successfully compromised,” he explained. “The BMC has direct access to the motherboard of its host system. This provides the ability to monitor, reboot, and reinstall the host server, with many systems providing interactive KVM access and support for virtual media. In essence, access to the BMC is effectively physical access to the host system. If an attacker can not only login to the BMC, but gain root access to it as well, they may be able to directly access the i2c bus and Super I/O chip of the host system.”

Using a series of network probes sent on UDP port 623, the researchers identified IPMI systems and tested for various vulnerabilities. What they discovered was that roughly 308,000 IPMI-enabled BMCs are exposed to the IPv4 Internet; 195,000 of these devices only support IPMI 1.5, which does not provide any form of encryption; and 113,000 of these devices support IPMI v2.0, which suffers from serious design flaws.

In addition, of the 113,000 that support IPMI specification v2.0, 99,000 were confirmed to expose password hashes, while 53,000 were confirmed to be vulnerable to password bypass due to an encryption method known as Cipher 0 that bypasses the entire authentication process and allows IPMI commands from any source.

“The 53,000 BMCs that allow authentication via Cipher 0 are at immediate risk of compromise,” according to a paper detailing the researchers’ findings.” No exploit code is needed to manipulate these systems as the standard IPMI command-line tools provide the required functionality. An attacker could use the Cipher 0 weakness to configure a backdoor account with administrative privileges. This backdoor could be used to compromise the BMC and the connected server.”

The researchers also discovered 35,000 Supermicro BMCs expose an exploitable Universal Plug and Play (UPnP) service and are vulnerable to remote root compromise. An exploit module for this issue has been available in the Metasploit Framework since March. A root compromise of the BMC can lead to disclosure of clear-text passwords and unauthorized access to the connected server, according to the paper.

Large enterprises should ensure that no IPMI-enabled BMCs are exposed to untrusted networks, and steps should be taken to disable Cipher 0 and set complex passwords, according to the paper. Hosting providers should immediately assess their systems and ensure no internal systems have IPMI exposed to the public network. 

“In addition to vulnerabilities in the IPMI protocol itself, most BMCs seem to suffer from issues common across all embedded devices, namely default passwords, outdated open source software, and, in some cases, backdoor accounts and static encryption keys,” blogged Moore. “The world of BMCs is a mess that is not likely to get better anytime soon, and we need to be crystal clear about the risk these devices pose to our networks.”

More on their findings can be found here.